Kaspersky researchers have uncovered a malware attack on Windows and macOS devices by the infamous Lazarus group. The group is apparently using Trojanised cryptocurrency exchanges to spread malware on laptops, including macOS devices. This new operation has been given the term AppleJeus, as it's the first time Lazarus has been reported to distributing malware on macOS machines. An attack was recognised in Asia, where the attackers penetrated the network of a cryptocurrency exchange using Trojanised cryptocurrency trading software.
The Lazarus group is thought to have links to North Korea, and a government funded threat group. This recent attack was done with the aim to steal cryptocurrency. Kaspersky notes that this is the first time it has seen a Lazarus distributed malware targeting macOS users as well, and said "it represents a wakeup call for everyone who uses this OS for cryptocurrency-related activity."
It is learnt that the malware arrives on a computer through an update to a third-party software app appearing to be for cryptocurrency trading. Kaspersky notes that it began when a company employee downloaded an app from a legitimate looking company website. This application sent information to back to the command and control server, and once the attackers ascertained that the computer is worth infecting, it sent malicious code in the form of a software update. The Trojan Fallchill is then installed on to the computer, and it gives attackers unlimited access to steal valuable financial information or to deploy additional tools for that purpose.
The AppleJeus operation was possible because of the seemingly legit looking cryptocurrency trading software that was installed. Kaspersky notes that the software vendor even has a valid digital certificate for signing its software and legitimate looking registration records for the domain.
Kaspersky recommends users tread with caution while installing any software related to cryptocurrency. "Do not automatically trust the code running on your systems. Neither an authentic looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors," it added. The security firm also advised to use a robust security solution, equipped with malicious-behaviour detection technologies that enable even previously unknown threats to be caught. Also, it would be beneficial to use multi-factor authentication and hardware wallets if you are dealing with significant financial transactions. For this purpose, preferably use a standalone, isolated computer that you do not use to browse the Internet or read email.
Cybercriminal gang Lazarus is believed to be behind large scale cyber-attacks across the world including recent WannaCry ransomware, and it was also reported to have access to few servers in India as well.